Security Guide for Cryptocurrency Exchanges
⚠️ IMPORTANT: Security is Priority #1
The main rule: Set up all security measures first, check all systems, and only then start operating the exchange. Security is more important than convenience.
Security is not paranoia; it is a necessity in the cryptocurrency space. Follow all recommendations strictly. The recommendations in this article are based on 10 years of experience as an exchange administrator, who also leads our training program.
1. 🖥️ Computer/Laptop Security
Basic Principles for Working with a Computer:
❌ DO NOT visit suspicious websites
❌ DO NOT download unknown software
✅ Use the computer only for work
✅ It is recommended to use macOS (a more secure system)
Antivirus Protection:
Recommended Antivirus: It is advisable to use a paid antivirus with data encryption features. Examples include ESET NOD32, Kaspersky Internet Security, or Dr. Web. The key is to have the necessary features for information protection.
⚠️ Important: Purchase the license only through VPN/proxy (not from a Russian IP)
When buying NOD32, avoid the Russian version PRO32 (less reliable)
Disk Encryption:
Create an encrypted disk using the antivirus
Store ALL work data only on the encrypted disk
DO NOT store data on regular Windows disks
Create backup copies on encrypted USB drives
Working with USB Drives:
Always format new flash drives before use
Format on a separate computer (not the work one)
Encrypt the flash drives with the same antivirus
⚠️ Danger: Even new flash drives can contain viruses
2. 🌐 Browser Configuration
Mandatory Security Settings:
Disable:
❌ Password manager
❌ Auto-save passwords
❌ Payment methods
❌ Automatic login
❌ ALL extensions (except those necessary for work)
Enable:
✅ Enhanced protection in the "Security" section
✅ All available privacy features
Extensions:
Minimum extensions (only VPN for work, if necessary)
DO NOT install even official extensions without extreme necessity
The only exception: programs for working with documents (PDF)
3. 🔐 Payment System Security
Two-Factor Authentication (2FA):
Mandatory for all services:
Exchanges and wallets: Maximum security levels must be set for all used services, including two-factor authentication (2FA) via an app (e.g., Google Authenticator) and linking to an email/phone number.
Email: 2FA via phone or authenticator
"Lock separately, key separately" rule:
DO NOT use 2FA on the same device where the wallet is open
Different devices for different security functions
Separate work phones only for 2FA
Work Phones:
At least 1-2 separate work phones
DO NOT use for personal calls/messages
Do not share work phone numbers with anyone
You can replace the number in existing services with the work number
4. 🖥️ Server and Admin Panel Security
Server Access:
SSH Keys:
DO NOT store access keys on the desktop
Store keys on a encrypted disk or separate flash drive
DO NOT share keys with anyone (except trusted technical specialists)
When sending keys via Telegram: immediately delete messages after the recipient has read them
Setting up 2FA for the server:
Enable 2FA for ROOT access
Enable 2FA for user access
Save QR codes and keys on an encrypted medium
Change passwords after training is completed
Password Requirements:
Minimum 15 characters
Uppercase and lowercase Latin letters
Numbers
At least 1-2 special characters (
@, #, !, etc.)
5. 📧 Telegram and Email Security
Setting Up Work Telegram:
Separate installation only for work
2FA enabled
Code words configured
Installed on work phone and laptop
Transmitting Confidential Information:
Transmit information only to trusted technical specialists
Immediately delete files after the recipient has read the message
Delete messages from both your and the recipient's accounts
DO NOT leave passwords in message history
Work Email:
Separate email only for work
Use a reliable email service for work (the email will be used for sending notifications from the server). Suitable options include Gmail, ProtonMail, or Yandex.Mail.
2FA via phone is mandatory
6. 📋 Data Storage Structure
Recommended File Structure:
📁 Work (on encrypted disk)
├── 📁 Server
│ ├── 📁 Server Access
│ │ ├── SSH Keys
│ │ ├── 2FA QR Codes
│ │ └── Passwords
│ └── 📁 Panel Settings
├── 📁 Payment Systems
│ ├── 📁 Exchanges
│ ├── 📁 Wallets
│ └── 📁 2FA Codes
└── 📁 Backups7. ✅ Security Checklist
Before Starting Work, Check:
Computer:
✅ Antivirus is installed and updated
✅ An encrypted disk has been created
✅ All work data is on the encrypted disk
✅ Browser is configured (password saving disabled, protection enabled)
✅ Minimum extensions
Accounts and Services:
✅ 2FA is enabled everywhere possible
✅ Separate work phones are set up
✅ Work Telegram is created
✅ Strong passwords are set everywhere
Server:
✅ 2FA for ROOT access
✅ 2FA for user access
✅ SSH keys are stored in a secure location
✅ Passwords changed after training
General Rules:
✅ Backups of the site and database are created
✅ All confidential data is deleted from chats
✅ The "lock separately, key separately" rule is followed
⚠️ Common Mistakes and How to Avoid Them
Novice Mistakes:
Neglecting basic security due to "inconvenience"
Using one device for all functions
Storing passwords in the browser or unencrypted files
Installing unnecessary extensions "for convenience"
Experienced User Mistakes:
Overconfidence and skipping checks
One-time violations of security protocols
Using personal devices for work tasks
🚨 In Case of an Incident
If a Data Breach Occurs:
Immediately change all passwords
Revoke access to all services
Check balances of all wallets
Create new wallets if necessary
Reinstall systems from scratch
Remember:
Recovering stolen cryptocurrency is nearly impossible
It's better to spend time on security than to lose funds
Every protocol violation is a risk of total loss
Last updated